CVE-2017-15124

EUVD-2017-6585
VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
Affected Products (NVD)
VendorProductVersion
qemuqemu
𝑥
≤ 2.11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qemu
bookworm
1:7.2+dfsg-7+deb12u7
fixed
bullseye
1:5.2+dfsg-11+deb11u3
fixed
bullseye (security)
1:5.2+dfsg-11+deb11u2
fixed
jessie
ignored
sid
1:9.1.1+ds-2
fixed
trixie
1:9.1.1+ds-2
fixed
wheezy
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qemu
artful
Fixed 1:2.10+dfsg-0ubuntu3.5
released
trusty
ignored
xenial
ignored
zesty
ignored
qemu-kvm
artful
dne
trusty
dne
xenial
dne
zesty
dne
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/102295
https://access.redhat.com/errata/RHSA-2018:0816
https://access.redhat.com/errata/RHSA-2018:1104
https://access.redhat.com/errata/RHSA-2018:1113
https://access.redhat.com/errata/RHSA-2018:3062
https://bugzilla.redhat.com/show_bug.cgi?id=1525195
https://usn.ubuntu.com/3575-1/
https://www.debian.org/security/2018/dsa-4213
http://www.securityfocus.com/bid/102295
https://access.redhat.com/errata/RHSA-2018:0816
https://access.redhat.com/errata/RHSA-2018:1104
https://access.redhat.com/errata/RHSA-2018:1113
https://access.redhat.com/errata/RHSA-2018:3062
https://bugzilla.redhat.com/show_bug.cgi?id=1525195
https://usn.ubuntu.com/3575-1/
https://www.debian.org/security/2018/dsa-4213